134 Cloud Computing
more difficult, since such certificates have traditionally not been easy to obtain.
5.2.2 How Encrypted Federation Differs from Trusted Federation
Verified federation serves as a foundation for encrypted federation, which builds on its concepts by requiring the use of TLS for channel encryption. The Secure Sockets Layer (SSL) technology, originally developed for secure communications over HTTP, has evolved into TLS. XMPP uses a TLS profile that enables two entities to upgrade a connection from unencrypted to encrypted. This differs from SSL in that it does not require a separate port to be used to establish secure communications. Since XMPP S2S communication uses two connections (one in each direction), encrypted federation requires each entity to present a digital certificate to the reciprocating party.
Not all certificates are created equal, and trust is in the eye of the beholder. For example, I might not trust your digital certificate if it is "self-signed" (i.e., issued by you rather than by a recognized CA), or if it is issued by a CA that I don't know or trust. In either case, if Joe's server connects to Ann's server, Ann's server will accept the untrusted certificate from Joe's server solely for the purpose of bootstrapping channel encryption, not for domain verification, because Ann's server has no way of following the certificate chain back to a trusted root. Both servers therefore complete the TLS negotiation, but Ann's server then requires Joe's server to complete server Dialback.
In the trusted federation scenario, Dialback can be avoided if, after using TLS for channel encryption, the server verifying identity proceeds to use the SASL protocol for authentication based on the credentials presented in the certificates. In this case, the servers dispense with server Dialback, because SASL (in particular the EXTERNAL mechanism) provides strong authentication.
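The decision Ann's server makes in the two paragraphs above can be written down as a small policy. The following is an added example, not code from the book or from any XMPP server: it uses the three levels the text names (verified, encrypted, trusted) and returns which step the receiving server must still demand (server Dialback, or SASL EXTERNAL). The PeerOffer and PeerCert structures, the CA names and the domains are constructed; the rule that a certificate must also name the claimed domain is a standard check that the text does not spell out and is marked as an assumption in the code.

```python
"""Trust ladder for an inbound XMPP server-to-server connection.

Added example, not from the book: it models the decision Ann's server makes
when Joe's server connects, using the three levels the text names
(verified, encrypted, trusted). Certificate checks are represented by
constructed attributes rather than parsed X.509 data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Level(Enum):
    NONE = "none"            # connection refused
    VERIFIED = "verified"    # domain proven by Dialback, channel unencrypted
    ENCRYPTED = "encrypted"  # TLS up, certificate not trusted, Dialback still needed
    TRUSTED = "trusted"      # TLS up, certificate chains to a trusted CA, SASL EXTERNAL


@dataclass(frozen=True)
class PeerCert:
    names: FrozenSet[str]   # domains the certificate asserts
    issuer: str             # CA that signed it
    self_signed: bool


@dataclass(frozen=True)
class PeerOffer:
    claimed_domain: str     # the 'from' domain the connecting server claims
    supports_tls: bool      # peer can upgrade the stream from unencrypted to encrypted
    cert: Optional[PeerCert] = None


def cert_authenticates(cert: Optional[PeerCert], trusted_cas, domain: str) -> bool:
    """A certificate proves the claimed domain only if it chains to a CA we
    trust AND names that domain (assumption: standard name matching, which the
    book does not spell out). A self-signed certificate never qualifies, even
    if the name matches, since nothing ties it to the domain owner."""
    if cert is None or cert.self_signed:
        return False
    return cert.issuer in trusted_cas and domain in cert.names


def negotiate(offer: PeerOffer, trusted_cas, require_encryption: bool = False) -> Tuple[Level, str]:
    """Return (federation level, step still required before stanzas are accepted)."""
    if not offer.supports_tls:
        if require_encryption:
            return Level.NONE, "refuse"
        # Plain connection: Dialback is the only way to check the claimed domain.
        return Level.VERIFIED, "dialback"
    # TLS negotiated. An untrusted certificate is accepted for channel
    # encryption only; it says nothing about who owns the claimed domain.
    if cert_authenticates(offer.cert, trusted_cas, offer.claimed_domain):
        return Level.TRUSTED, "sasl-external"
    return Level.ENCRYPTED, "dialback"


if __name__ == "__main__":
    # Constructed scenario: Ann's server trusts one CA; Joe's server connects
    # once with a self-signed certificate and once with a CA-issued one.
    trusted = {"Example Root CA"}
    joe_selfsigned = PeerOffer("joe.example", True,
                               PeerCert(frozenset({"joe.example"}), "joe.example", True))
    joe_trusted = PeerOffer("joe.example", True,
                            PeerCert(frozenset({"joe.example"}), "Example Root CA", False))
    for offer in (joe_selfsigned, joe_trusted):
        print(offer.cert.issuer, "->", negotiate(offer, trusted))
```

Note that a certificate from an unknown CA and a certificate from a trusted CA that names the wrong domain land on the same rung: TLS is kept for encryption, but the domain claim is still unproven, so Dialback is required either way.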
5.2.3 Federated Services and Applications
S2S federation is a good start toward building a real-time communications cloud. Clouds typically consist of all the users, devices, services, and applications connected to the network. In order to fully leverage the capabilities of this cloud structure, a participant needs the ability to find other entities of interest. Such entities might be end users, multiuser chat rooms, real-time content feeds, user directories, data relays, messaging gateways, etc. Finding these entities is a process called discovery.
Chap5.fm Page 134 Friday, May 22, 2009 11:25 AM
XMPP uses service discovery (as defined in XEP-0030) to find the aforementioned entities. The discovery protocol enables any network participant to query another entity regarding its identity, capabilities, and associated entities. When a participant connects to the network, it queries the authoritative server for its particular domain about the entities associated with that authoritative server.
In response to a service discovery query, the authoritative server informs the inquirer about services hosted there and may also detail services that are available but hosted elsewhere. XMPP includes a method for maintaining personal lists of other entities, known as roster technology, which enables end users to keep track of various types of entities. Usually, these lists consist of other entities the users are interested in or interact with regularly. Most XMPP deployments include custom directories so that internal users of those services can easily find what they are looking for.
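The query-and-answer exchange of XEP-0030 described above, with both sides shown, as an added example that is not part of the book and not code from any XMPP library. The disco#items and disco#info namespaces are the real ones from XEP-0030; the catalogue, the domain montague.example and all JIDs are constructed placeholders. The client side only accepts a result whose id and sender match the request it sent, which is the check that keeps an unrelated entity from feeding it a fake list of services.

```python
"""XEP-0030 service discovery, both sides, over constructed data.

Added example, not from the book. A client asks the authoritative server
what it hosts (disco#items), then asks each item what it is (disco#info).
xml.etree is fine for the constructed stanzas here; for XML from the
network use a hardened parser such as defusedxml.
"""
import xml.etree.ElementTree as ET

NS_ITEMS = "http://jabber.org/protocol/disco#items"
NS_INFO = "http://jabber.org/protocol/disco#info"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed catalogue of a hypothetical authoritative server. Two of the
# advertised items deliberately have no entry, to exercise the error path.
CATALOGUE = {
    "montague.example": {
        "items": [("chat.montague.example", "Chat rooms"),
                  ("pubsub.montague.example", "Content feeds"),
                  ("users.montague.example", "User directory")],
        "identity": ("server", "im", "Montague XMPP"),
        "features": [NS_INFO, NS_ITEMS],
    },
    "chat.montague.example": {
        "items": [],
        "identity": ("conference", "text", "Chat rooms"),
        "features": [NS_INFO, "http://jabber.org/protocol/muc"],
    },
}


def build_query(from_jid, to, stanza_id, ns):
    """Client side: an IQ 'get' carrying an empty disco query element."""
    iq = ET.Element("iq", {"type": "get", "from": from_jid, "to": to, "id": stanza_id})
    ET.SubElement(iq, "{%s}query" % ns)
    return ET.tostring(iq, encoding="unicode")


def answer_query(request_xml):
    """Server side: answer from the catalogue, or with item-not-found."""
    req = ET.fromstring(request_xml)
    target, query = req.get("to"), req[0]
    ns = query.tag[1:].split("}")[0]
    resp = ET.Element("iq", {"type": "result", "from": target,
                             "to": req.get("from"), "id": req.get("id")})
    entry = CATALOGUE.get(target)
    if entry is None:
        resp.set("type", "error")
        err = ET.SubElement(resp, "error", {"type": "cancel"})
        ET.SubElement(err, "{%s}item-not-found" % NS_STANZAS)
        return ET.tostring(resp, encoding="unicode")
    q = ET.SubElement(resp, "{%s}query" % ns)
    if ns == NS_ITEMS:
        for jid, name in entry["items"]:
            ET.SubElement(q, "{%s}item" % ns, {"jid": jid, "name": name})
    else:
        cat, typ, name = entry["identity"]
        ET.SubElement(q, "{%s}identity" % ns, {"category": cat, "type": typ, "name": name})
        for var in entry["features"]:
            ET.SubElement(q, "{%s}feature" % ns, {"var": var})
    return ET.tostring(resp, encoding="unicode")


def parse_result(result_xml, expected_from, expected_id):
    """Client side: accept only the answer to the request actually sent."""
    iq = ET.fromstring(result_xml)
    if iq.get("id") != expected_id or iq.get("from") != expected_from:
        raise ValueError("unsolicited or mismatched disco result")
    if iq.get("type") == "error":
        return {"error": [e.tag.split("}")[-1] for e in iq.find("error")]}
    query = iq[0]
    if query.tag == "{%s}query" % NS_ITEMS:
        return {"items": [(i.get("jid"), i.get("name"))
                          for i in query.findall("{%s}item" % NS_ITEMS)]}
    ident = query.find("{%s}identity" % NS_INFO)
    return {"identity": (ident.get("category"), ident.get("type"), ident.get("name")),
            "features": [f.get("var") for f in query.findall("{%s}feature" % NS_INFO)]}


def discover(from_jid, domain, stanza_id="items1"):
    """Two-step walk: items under the domain, then info for each item."""
    items = parse_result(answer_query(build_query(from_jid, domain, stanza_id, NS_ITEMS)),
                         domain, stanza_id)
    found = {}
    for n, (jid, _name) in enumerate(items["items"]):
        sid = "info%d" % n
        found[jid] = parse_result(answer_query(build_query(from_jid, jid, sid, NS_INFO)), jid, sid)
    return found


if __name__ == "__main__":
    for jid, info in discover("romeo@montague.example/orchard", "montague.example").items():
        print(jid, info)
```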
5.2.4 Protecting and Controlling Federated Communication
Some organizations are wary of federation because they fear that real-time communication networks will introduce the same types of problems that are endemic to email networks, such as spam and viruses. While these concerns are not unfounded, they tend to be exaggerated for several reasons:
- Designers of technologies like XMPP learned from past problems with email systems and incorporated these lessons to prevent address spoofing, unlimited binary attachments, inline scripts, and other attack tactics in XMPP.
- The use of point-to-point federation avoids problems that occur with multihop federation, including injection attacks, data loss, and unencrypted intermediate links.
- Using certificates issued by trusted root CAs ensures encrypted connections and strong authentication, both of which are currently feasible with an email network.
- Employing intelligent servers that have the ability to blacklist (explicitly block) and whitelist (explicitly permit) foreign services, either at the host level or the IP address level, is a significant mitigating factor.
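The last point, blocking and permitting foreign services at the host level or the IP address level, as an added example that is not from the book and not the configuration syntax of any particular server. The FederationPolicy class and its rules are hypothetical; the host names and the addresses (taken from the documentation ranges) are constructed. Explicit blocks win over everything; once any permit entries exist, the policy becomes permit-only.

```python
"""Host- and IP-level block/permit lists for foreign XMPP services.

Added example, not from the book. Checking both the peer's domain and the
address it connected from means a block is not sidestepped by a name that
resolves somewhere else, and an address block catches every name hosted
there.
"""
import ipaddress


def _normalize_host(host):
    # Case and a trailing dot are not significant in DNS names.
    return host.strip().rstrip(".").lower()


def host_matches(host, pattern):
    """Exact match, or any subdomain when the pattern starts with '*.'
    (the apex itself is listed separately if it should match too)."""
    host, pattern = _normalize_host(host), _normalize_host(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # "*.spam.example" -> ".spam.example"
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


class FederationPolicy:
    def __init__(self, deny_hosts=(), deny_nets=(), allow_hosts=(), allow_nets=()):
        self.deny_hosts = [_normalize_host(h) for h in deny_hosts]
        self.deny_nets = [ipaddress.ip_network(n, strict=False) for n in deny_nets]
        self.allow_hosts = [_normalize_host(h) for h in allow_hosts]
        self.allow_nets = [ipaddress.ip_network(n, strict=False) for n in allow_nets]

    @staticmethod
    def _listed(host, ip, hosts, nets):
        addr = ipaddress.ip_address(ip)         # raises ValueError on garbage input
        return any(host_matches(host, p) for p in hosts) or any(addr in n for n in nets)

    def decide(self, host, ip):
        """Return (allowed, reason) for a foreign server identified by the
        domain it claims and the address it connected from."""
        if self._listed(host, ip, self.deny_hosts, self.deny_nets):
            return False, "blacklisted"
        if self.allow_hosts or self.allow_nets:
            if self._listed(host, ip, self.allow_hosts, self.allow_nets):
                return True, "whitelisted"
            return False, "not on whitelist"
        return True, "default allow"


if __name__ == "__main__":
    # Constructed rules: block one domain tree, one host and one network.
    policy = FederationPolicy(deny_hosts=["*.spam.example", "bad.example"],
                              deny_nets=["198.51.100.0/24", "2001:db8:bad::/48"])
    for peer in (("relay.spam.example", "203.0.113.5"),
                 ("partner.example", "198.51.100.7"),
                 ("partner.example", "203.0.113.9")):
        print(peer, "->", policy.decide(*peer))
```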
5.2.5 The Future of Federation
The implementation of federated communications is a precursor to building a seamless cloud that can interact with people, devices, information feeds, documents, application interfaces, and other entities. The power of a federated, presence-enabled communications infrastructure is that it enables software developers and service providers to build and deploy such applications without asking permission from a large, centralized communications operator. The process of server-to-server federation for the purpose of interdomain communication has played a large role in the success of XMPP, which relies on a small set of simple but powerful mechanisms for domain checking and security to generate verified, encrypted, and trusted connections between any two deployed servers. These mechanisms have provided a stable, secure foundation for growth of the XMPP network and similar real-time technologies.
5.3 Presence in the Cloud
Understanding the power of presence is crucial to unlocking the real potential of the Internet. Presence data enables organizations to deploy innovative real-time services and achieve significant revenue opportunities and productivity improvements. At the most fundamental level, understanding presence is simple: it provides true-or-false answers to queries about the network availability of a person, device, or application. Presence is a core component of an entity's real-time identity. Presence serves as a catalyst for communication. Its purpose is to signal availability for interaction over a network. It is being used to determine availability for phones, conference rooms, applications, web-based services, routers, firewalls, servers, appliances, buildings, devices, and other applications. The management of presence is being extended to capture even more information about availability, or even the attributes associated with such availability, such as a person's current activity, mood, location (e.g., GPS coordinates), or preferred communication method (phone, email, IM, etc.). While these presence extensions are innovative and important, they serve mainly to supplement the basic information about an entity's network connectivity, which remains the core purpose of presence.
Presence is an enabling technology for peer-to-peer interaction. It first emerged as an aspect of communication systems, especially IM systems such as ICQ, which allowed users to see the availability of their friends. The huge role that IM has had in establishing presence is evident in the protocols available today, such as Instant Messaging and Presence Service (IMPS), Session Initiation Protocol (SIP) for Instant Messaging and Presence Leveraging Extensions (SIMPLE), and the Extensible Messaging and Presence Protocol (XMPP), first developed in the Jabber open source community and subsequently ratified as an Internet standard by the IETF.
Implementation of presence follows the software design pattern known as publish-and-subscribe (pub-sub). This means that a user or application publishes information about its network availability to a centralized location, and that information is broadcast to all entities that are authorized to receive it. The authorization usually takes the form of a subscription. In IM implementations, contacts or buddies are the authorized entities. The popularity of these services among millions of people validated the value of the concept of presence.
For enterprise solutions, the limits of consumer-based IM services quickly became clear when enterprises tried to integrate presence into business-critical systems and services. Because business organizations require a great deal more control and flexibility over the technologies they deploy, they needed a presence solution that could provide separation between the presence service and the communication mechanisms (e.g., IM or VoIP) that presence enables. Any solution had to be scalable and extensible, and had to support a distributed architecture with its own presence domain. It should not overload the network and should support strong security management, system authentication, and granular subscription authorization. Also, any device or application should be able to publish and subscribe to presence information. Enterprise solutions should have the ability to federate numerous cross-protocol presence sources and integrate presence information from multiple sources. Any solution should be able to access presence data via multiple methods. The ability to integrate presence information with existing organizational infrastructure such as Active Directory is very important. Being able to publish content and allow other people and/or applications to subscribe to that information ensures that updates and changes are made in real time based on the presence/availability of those people/applications.
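The pub-sub model of the earlier paragraph, together with the granular subscription authorization this paragraph asks for, as an added example that is not from the book and not the code of any presence server. The PresenceService class is hypothetical and the JIDs and status strings are constructed. A subscription request creates nothing but a pending entry; only after the publisher approves it does the subscriber receive the current state and later changes, and an availability query from an unauthorized party is refused rather than answered.

```python
"""Presence as publish-and-subscribe with explicit subscription authorization.

Added example, not from the book. The service keeps each publisher's last
availability, fans out changes only to subscribers the publisher has
approved, and answers availability queries only for authorized askers.
All JIDs and states are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Notification = Tuple[str, bool, str]   # (publisher, available, status text)


class PresenceService:
    def __init__(self):
        self.state: Dict[str, Tuple[bool, str]] = {}                  # publisher -> last published
        self.pending: Dict[str, set] = defaultdict(set)                # publisher -> unapproved requesters
        self.approved: Dict[str, set] = defaultdict(set)               # publisher -> authorized subscribers
        self.inbox: Dict[str, List[Notification]] = defaultdict(list)  # subscriber -> deliveries

    def subscribe(self, subscriber: str, publisher: str) -> str:
        """A request only creates a pending entry; nothing is delivered until
        the publisher approves, so an unapproved party learns nothing."""
        if subscriber in self.approved[publisher]:
            return "subscribed"
        self.pending[publisher].add(subscriber)
        return "pending"

    def approve(self, publisher: str, subscriber: str) -> None:
        self.pending[publisher].discard(subscriber)
        self.approved[publisher].add(subscriber)
        # Initial presence: the new subscriber immediately learns the current state.
        if publisher in self.state:
            available, status = self.state[publisher]
            self.inbox[subscriber].append((publisher, available, status))

    def revoke(self, publisher: str, subscriber: str) -> None:
        """Cancel authorization; the former subscriber is told 'unavailable'
        so it does not keep acting on stale availability."""
        if subscriber in self.approved[publisher]:
            self.approved[publisher].discard(subscriber)
            self.inbox[subscriber].append((publisher, False, ""))

    def publish(self, publisher: str, available: bool, status: str = "") -> int:
        """Store the new state and fan it out to approved subscribers only.
        Returns the number of deliveries made."""
        self.state[publisher] = (available, status)
        for subscriber in self.approved[publisher]:
            self.inbox[subscriber].append((publisher, available, status))
        return len(self.approved[publisher])

    def query(self, requester: str, publisher: str) -> bool:
        """The true-or-false question presence answers, gated by authorization."""
        if requester not in self.approved[publisher]:
            raise PermissionError("%s is not authorized for %s" % (requester, publisher))
        return self.state.get(publisher, (False, ""))[0]


if __name__ == "__main__":
    # Constructed scenario: a device publishes, one user is approved, one is not.
    svc = PresenceService()
    svc.publish("printer@ops.example", True, "idle")
    svc.subscribe("ann@ops.example", "printer@ops.example")
    svc.subscribe("joe@other.example", "printer@ops.example")
    svc.approve("printer@ops.example", "ann@ops.example")
    svc.publish("printer@ops.example", False, "out of paper")
    print("ann sees:", svc.inbox["ann@ops.example"])
    print("joe sees:", svc.inbox["joe@other.example"])
```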
5.3.1 Presence Protocols
Proprietary, consumer-oriented messaging services do not enable enterprises or institutions to leverage the power of presence. A smarter approach is to use one of the standard presence protocols, SIMPLE or XMPP. SIMPLE is an instant messaging and presence protocol suite based on SIP and managed by the Internet Engineering Task Force (IETF). XMPP is the IETF's formalization of the core XML messaging and presence protocols originally developed by the open source Jabber community in 1999. These protocols have been in wide use on the Internet for over five years. Both of these protocols will be explained in greater detail in Chapter 7.
The modern, reliable method to determine another entity's capabilities is called service discovery, wherein applications and devices exchange information about their capabilities directly, without human involvement. Even though no framework for service discovery has been produced by a standards development organization such as the IETF, a capabilities extension for SIP/SIMPLE and a robust, stable service discovery extension for XMPP do exist.
The SIMPLE Working Group is developing the technology to embed capabilities information within broadcast presence information. Such a capability already exists in a widely deployed XMPP extension. Together, service discovery and capabilities broadcasts enable users and applications to gain knowledge about the capabilities of other entities on the network, providing a real-time mechanism for additional use of presence-enabled systems.
5.3.2 Leveraging Presence
The real challenge today is to figure out how to leverage the power of presence within an organization or service offering. This requires having the ability to publish presence information from a wide range of data sources, the ability to receive or embed presence information in just about any platform or application, and having a robust presence engine to tie ubiquitous publishers and subscribers together.
It is safe to assume that any network-capable entity can establish presence. The requirements for functioning as a presence publisher are fairly minimal. As a result, SIP software stacks are available for a wide range of programming languages, and it is relatively easy to add native presence publishing capabilities to most applications and devices. Enabling devices and applications to publish presence information is only half of the solution, however; delivering the right presence information to the right subscribers at the right time is just as important.